diff options
author | dinoex <dinoex@FreeBSD.org> | 2005-07-28 02:07:27 +0800 |
---|---|---|
committer | dinoex <dinoex@FreeBSD.org> | 2005-07-28 02:07:27 +0800 |
commit | 79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455 (patch) | |
tree | aef9b0a2447d5ee4ca7bdb735bfddef784d4ab98 /www/apache13-modssl | |
parent | 9570bd22e0c6b8a8314391e8ee18c0e4a0dafb36 (diff) | |
download | freebsd-ports-gnome-79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455.tar.gz freebsd-ports-gnome-79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455.tar.zst freebsd-ports-gnome-79c7dfd914ae1bd6e309eb9ceb0ea8c4900e6455.zip |
- Security Fix CAN-2005-2088
Diffstat (limited to 'www/apache13-modssl')
-rw-r--r-- | www/apache13-modssl/Makefile | 2 | ||||
-rw-r--r-- | www/apache13-modssl/files/patch-secfix-CAN-2005-2088 | 87 |
2 files changed, 88 insertions, 1 deletions
diff --git a/www/apache13-modssl/Makefile b/www/apache13-modssl/Makefile index 2a13920c5322..97a41ebdb8af 100644 --- a/www/apache13-modssl/Makefile +++ b/www/apache13-modssl/Makefile @@ -7,7 +7,7 @@ PORTNAME= apache+mod_ssl PORTVERSION= ${VERSION_APACHE}+${VERSION_MODSSL} -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES?= www security MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \ ${MASTER_SITES_MODSSL:S/$/:mod_ssl/} \ diff --git a/www/apache13-modssl/files/patch-secfix-CAN-2005-2088 b/www/apache13-modssl/files/patch-secfix-CAN-2005-2088 new file mode 100644 index 000000000000..c4315400577e --- /dev/null +++ b/www/apache13-modssl/files/patch-secfix-CAN-2005-2088 @@ -0,0 +1,87 @@ +--- src/modules/proxy/proxy_http.c 2005/07/14 05:09:17 218987 ++++ src/modules/proxy/proxy_http.c 2005/07/14 05:19:15 218988 +@@ -121,7 +121,7 @@ + char portstr[32]; + pool *p = r->pool; + int destport = 0; +- int chunked = 0; ++ const char *chunked = NULL; + char *destportstr = NULL; + const char *urlptr = NULL; + const char *datestr, *urlstr; +@@ -338,7 +338,12 @@ + ap_table_mergen(req_hdrs, "X-Forwarded-Server", r->server->server_hostname); + } + +- /* we don't yet support keepalives - but we will soon, I promise! */ ++ /* we don't yet support keepalives - but we will soon, I promise! ++ * XXX: This introduces various HTTP Request vulnerabilies if not ++ * properly implemented. Before changing this .. be certain to ++ * add a hard-close of the connection if the T-E and C-L headers ++ * are both present, or the C-L header is malformed. ++ */ + ap_table_set(req_hdrs, "Connection", "close"); + + reqhdrs_arr = ap_table_elts(req_hdrs); +@@ -475,25 +480,40 @@ + } + + /* is this content chunked? */ +- chunked = ap_find_last_token(r->pool, +- ap_table_get(resp_hdrs, "Transfer-Encoding"), +- "chunked"); ++ chunked = ap_table_get(resp_hdrs, "Transfer-Encoding"); ++ if (chunked && (strcasecmp(chunked, "chunked") != 0)) { ++ ap_kill_timeout(r); ++ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, ++ "Unsupported Transfer-Encoding ", chunked, ++ " from remote server", NULL)); ++ } + + /* strip hop-by-hop headers defined by Connection and RFC2616 */ + ap_proxy_clear_connection(p, resp_hdrs); + + content_length = ap_table_get(resp_hdrs, "Content-Length"); + if (content_length != NULL) { +- c->len = ap_strtol(content_length, NULL, 10); +- +- if (c->len < 0) { +- ap_kill_timeout(r); +- return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, +- "Invalid Content-Length from remote server", +- NULL)); ++ if (chunked) { ++ /* XXX: We would unset keep-alive here, to the proxy ++ * origin server, for safety's sake but we aren't using ++ * keep-alives (we force Connection: close above) ++ */ ++ nocache = 1; /* do not cache this suspect file */ ++ ap_table_unset(resp_hdrs, "Content-Length"); ++ } ++ else { ++ char *len_end; ++ errno = 0; ++ c->len = ap_strtol(content_length, &len_end, 10); ++ ++ if (errno || (c->len < 0) || (len_end && *len_end)) { ++ ap_kill_timeout(r); ++ return ap_proxyerror(r, HTTP_BAD_GATEWAY, ++ "Invalid Content-Length from remote" ++ " server"); ++ } + } + } +- + } + else { + /* an http/0.9 response */ +@@ -612,7 +632,8 @@ + * content length is not known. We need to make 100% sure c->len is always + * set correctly before we get here to correctly do keepalive. + */ +- ap_proxy_send_fb(f, r, c, c->len, 0, chunked, conf->io_buffer_size); ++ ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL, ++ conf->io_buffer_size); + } + + /* ap_proxy_send_fb() closes the socket f for us */ |